-**Enabled Users** shows you total number of unique users in your organization with Copilot for Microsoft 365 licenses over the selected time period.

-**Active Users** shows you total number of enabled users in your organization who tried a user-initiated Copilot for Microsoft 365 feature, in one or more Microsoft 365 apps over the selected time period.

-> If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/email-authentication-spf-configure.md). You can also learn much more about how SPF works with Office 365 by reading [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/office-365-security/email-authentication-anti-spoofing.md).

-After ensuring that your networking is optimized for access to Microsoft 365 for both on-premises and remote workers, your next big tasks are planning for and then configuring your Microsoft 365 tenant for DNS domain names, common services, and for that identity infrastructure that supports secure user sign-in.

-To deploy your tenant:

-## Manage multiple Microsoft 365 tenants

-## Week of January 01, 2024

-| Published On |Topic title | Change |

-|||--|

-| 1/2/2024 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365-whats-new?view=o365-worldwide) | modified |

-| 1/2/2024 | [Change your endpoint security subscription](/microsoft-365/security/defender-business/mdb-manage-subscription?view=o365-worldwide) | added |

-| 1/2/2024 | [Create a more secure guest sharing environment](/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified |

-| 4/20/2023 | [Remove a former employee - Overview](/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide) | modified |

-| 4/20/2023 | [Set an individual user's password to never expire](/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide) | modified |

-| 4/20/2023 | [Microsoft 365 Experience insights dashboard](/microsoft-365/admin/misc/experience-insights-dashboard?view=o365-worldwide) | modified |

-| 4/20/2023 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-worldwide) | modified |

-| 4/20/2023 | [Set up and configure Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-worldwide) | modified |

-| 4/20/2023 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |

-| 4/20/2023 | [Migrate to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide) | modified |

-| 4/20/2023 | [How Microsoft names threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) | modified |

-| 4/20/2023 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified |

-| 4/20/2023 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified |

-| 4/20/2023 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified |

-| 4/20/2023 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified |

-| 4/20/2023 | [Manage clients for Microsoft Whiteboard in GCC High environments](/microsoft-365/whiteboard/manage-clients-gcc-high?view=o365-worldwide) | modified |

-| 1/2/2024 | [Manage and monitor priority accounts](/microsoft-365/admin/setup/priority-accounts?view=o365-worldwide) | modified |

-| 1/2/2024 | [Add several users at the same time to Microsoft 365 - Admin Help](/microsoft-365/enterprise/add-several-users-at-the-same-time?view=o365-worldwide) | modified |

-| 1/2/2024 | [Specify the cloud protection level for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure teams with protection for highly sensitive data](/microsoft-365/solutions/configure-teams-highly-sensitive-protection?view=o365-worldwide) | modified |

-| 1/2/2024 | [Basic Mobility and Security frequently-asked questions (FAQ)](/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-worldwide) | modified |

-| 1/2/2024 | [Manage device access settings in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/manage-device-access-settings?view=o365-worldwide) | modified |

-| 1/2/2024 | [Upgrade your Office 2010 to Microsoft 365 - Microsoft 365 admin](/microsoft-365/admin/setup/upgrade-users-to-latest-office-client?view=o365-worldwide) | modified |

-| 1/2/2024 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified |

-| 1/2/2024 | [Enable Conditional Access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure device discovery](/microsoft-365/security/defender-endpoint/configure-device-discovery?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure exclusions for files opened by specific processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure Microsoft Defender Antivirus exclusions on Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure vulnerability email notifications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications?view=o365-worldwide) | modified |

-| 1/2/2024 | [Device discovery frequently asked questions](/microsoft-365/security/defender-endpoint/device-discovery-faq?view=o365-worldwide) | modified |

-| 1/2/2024 | [Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide) | modified |

-| 1/2/2024 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified |

-| 1/2/2024 | [Turn on exploit protection to help mitigate against attacks](/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide) | modified |

-| 1/2/2024 | [Exploit protection reference](/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide) | modified |

-| 1/2/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified |

-| 1/2/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified |

-| 1/2/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified |

-| 1/2/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified |

-| 1/2/2024 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified |

-| 1/2/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified |

-| 1/2/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified |

-| 1/2/2024 | [Create indicators](/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide) | modified |

-| 1/2/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified |

-| 1/2/2024 | [Network device discovery and vulnerability management](/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide) | modified |

-| 1/2/2024 | [Troubleshoot Microsoft Defender for Endpoint service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp?view=o365-worldwide) | modified |

-| 1/2/2024 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide) | modified |

-| 1/2/2024 | [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-worldwide) | modified |

-| 1/2/2024 | [Zero Trust with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide) | added |

-| 1/2/2024 | [Block vulnerable applications](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |

-| 1/2/2024 | [Create and view exceptions for security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-exception?view=o365-worldwide) | modified |

-| 1/2/2024 | [Remediate vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide) | modified |

-| 1/2/2024 | [BehaviorEntities table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-behaviorentities-table?view=o365-worldwide) | added |

-| 1/2/2024 | [BehaviorInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table?view=o365-worldwide) | added |

-| 1/2/2024 | [Zero Trust with Microsoft 365 Defender](/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender?view=o365-worldwide) | modified |

-| 1/2/2024 | [Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide) | modified |

-| 1/2/2024 | [Remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-remediation-actions?view=o365-worldwide) | modified |

-| 1/2/2024 | [How EOP validates the From address to prevent phishing](/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation?view=o365-worldwide) | modified |

-| 1/2/2024 | [Attack simulation training deployment considerations and FAQ](/microsoft-365/security/office-365-security/attack-simulation-training-faq?view=o365-worldwide) | modified |

-| 1/2/2024 | [Create safe sender lists](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide) | modified |

-| 1/2/2024 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-worldwide) | modified |

-| 1/2/2024 | [Zero Trust with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/zero-trust-with-microsoft-365-defender-office-365?view=o365-worldwide) | added |

-| 1/2/2024 | [Secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified |

-| 1/2/2024 | [End-user notifications for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications?view=o365-worldwide) | modified |

-| 1/2/2024 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |

-| 1/2/2024 | [Insights and reports Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights?view=o365-worldwide) | modified |

-| 1/2/2024 | [Landing pages in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages?view=o365-worldwide) | added |

-| 1/2/2024 | [Login pages in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-login-pages?view=o365-worldwide) | modified |

-| 1/2/2024 | [Payload automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations?view=o365-worldwide) | modified |

-| 1/2/2024 | [Payloads in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide) | modified |

-| 1/2/2024 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide) | modified |

-| 1/2/2024 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulations?view=o365-worldwide) | modified |

-| 1/2/2024 | [Training campaigns in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft Defender for Office 365 support for Microsoft Teams (Preview)](/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure teams with protection for sensitive data](/microsoft-365/solutions/configure-teams-sensitive-protection?view=o365-worldwide) | modified |

-| 1/2/2024 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified |

-| 1/2/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft 365 admin center Office activations reports](/microsoft-365/admin/activity-reports/microsoft-office-activations-ww?view=o365-worldwide) | modified |

-| 1/2/2024 | [Centralized Deployment FAQ](/microsoft-365/admin/manage/centralized-deployment-faq?view=o365-worldwide) | modified |

-| 1/2/2024 | [Determine if Centralized Deployment of add-ins works for your organization](/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide) | modified |

-| 1/2/2024 | [Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal](/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps?view=o365-worldwide) | modified |

-| 1/2/2024 | [Plan your setup of Microsoft 365 for business](/microsoft-365/admin/setup/plan-your-setup?view=o365-worldwide) | modified |

-| 1/2/2024 | [Performing Bulk SharePoint site Cross-tenant migrations (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-bulk-site-migration?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration FAQs (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-faqs?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 1 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step1?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 2 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step2?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 3 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step3?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 4 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step4?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 5 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | added |

-| 1/2/2024 | [SharePoint Cross-Tenant User Data Migration Step 7 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step7?view=o365-worldwide) | added |

-| 1/2/2024 | [Cross-tenant SharePoint site migration overview (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration?view=o365-worldwide) | added |

-| 1/2/2024 | [Tailor Teams apps for your frontline workers](/microsoft-365/frontline/pin-teams-apps-based-on-license?view=o365-worldwide) | modified |

-| 4/10/2023 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide) | modified |

-| 1/2/2024 | [Download perpetual software and product license keys bought through the Cloud Solution Provider (CSP) program](/microsoft-365/admin/setup/download-software-licenses-csp?view=o365-worldwide) | modified |

-| 1/2/2024 | [How to secure your business data with Microsoft 365](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified |

-| 1/2/2024 | [Manage auto-claim policies](/microsoft-365/commerce/licenses/manage-auto-claim-policies?view=o365-worldwide) | modified |

-| 1/2/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft 365 Network Insights](/microsoft-365/enterprise/office-365-network-mac-perf-insights?view=o365-worldwide) | modified |

-| 1/2/2024 | [Set up and configure Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-worldwide) | modified |

-| 1/2/2024 | [Onboard non-Windows devices to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide) | modified |

-| 1/2/2024 | [Turn pronouns on or off for your organization in the Microsoft 365 admin center](/microsoft-365/admin/add-users/turn-pronouns-on-or-off?view=o365-worldwide) | modified |

-| 1/2/2024 | [Service advisories for auto-expanding archive utilization in Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exo-archive-advisory?view=o365-worldwide) | modified |

-| 1/2/2024 | [Printer Protection frequently asked questions](/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions?view=o365-worldwide) | modified |

-| 1/2/2024 | [Schedule regular quick and full scans with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide) | modified |

-| 1/2/2024 | [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts?view=o365-worldwide) | modified |

-| 1/2/2024 | [Scenarios and use cases for Microsoft Syntex](/microsoft-365/syntex/adoption-scenarios) | modified |

-| 1/2/2024 | [Document compliance with Microsoft Syntex](/microsoft-365/syntex/scenario-document-compliance) | added |

-| 1/2/2024 | [Find content details with Microsoft Syntex](/microsoft-365/syntex/scenario-find-content-details) | added |

-| 1/2/2024 | [Generate documents in bulk with Microsoft Syntex](/microsoft-365/syntex/scenario-generate-documents-bulk) | added |

-| 1/2/2024 | [Automatically generate routine documents with Microsoft Syntex](/microsoft-365/syntex/scenario-generate-routine-documents) | added |

-| 1/2/2024 | [Handle incoming documents with Microsoft Syntex](/microsoft-365/syntex/scenario-handle-incoming-documents) | added |

-| 1/2/2024 | [Make information easier to find with Microsoft Syntex](/microsoft-365/syntex/scenario-organize-repositories) | added |

-| 1/2/2024 | [Set up Microsoft 365 Business Premium](/microsoft-365/business-premium/m365-business-premium-setup?view=o365-worldwide) | renamed |

-| 1/2/2024 | [Setup overview for Microsoft 365 for Campaigns](/microsoft-365/business-premium/m365-campaigns-setup?view=o365-worldwide) | modified |

-| 1/2/2024 | [Why choose Microsoft 365 Business Premium? Productivity and security](/microsoft-365/business-premium/why-choose-microsoft-365-business-premium?view=o365-worldwide) | modified |

-| 3/23/2023 | [Microsoft Teams SMS notifications usage report](/microsoft-365/frontline/sms-notifications-usage-report?view=o365-worldwide) | added |

-| 3/23/2023 | [Overview of the Vulnerability management page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-vulnerability-management-page-overview?view=o365-worldwide) | added |

-| 3/23/2023 | [Requirements for Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-requirements?view=o365-worldwide) | modified |

-| 3/23/2023 | [Deploy, manage, and report on Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 1/2/2024 | [Microsoft Defender Threat Intelligence in Microsoft 365 Defender](/microsoft-365/security/defender/defender-threat-intelligence?view=o365-worldwide) | added |

-| 1/2/2024 | [Microsoft Defender for Office 365 support for Microsoft Teams (Preview)](/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide) | added |

-| 1/2/2024 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified |

-| 1/2/2024 | [User reported message settings in Teams](/microsoft-365/security/office-365-security/submissions-teams?view=o365-worldwide) | added |

-| 1/2/2024 | [The Teams Message Entity Panel in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/teams-message-entity-panel?view=o365-worldwide) | added |

-| 1/2/2024 | [Zero-hour auto purge in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure advanced features in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-features?view=o365-worldwide) | modified |

-| 1/2/2024 | [Restore a deleted Microsoft 365 group](/microsoft-365/admin/create-groups/restore-deleted-group?view=o365-worldwide) | modified |

-| 1/2/2024 | [Anti-spam message headers](/microsoft-365/security/office-365-security/message-headers-eop-mdo?view=o365-worldwide) | modified |

-| 1/2/2024 | [Migrate to Microsoft Defender for Office 365 Phase 2: Setup](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup?view=o365-worldwide) | modified |

-| 1/2/2024 | [Outbound delivery pools](/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide) | modified |

-| 1/2/2024 | [Step-by-step threat protection stack in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365?view=o365-worldwide) | modified |

-| 1/2/2024 | [Threat Explorer and Real-time detections basics in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/real-time-detections?view=o365-worldwide) | modified |

-| 1/2/2024 | [Remediate malicious email that was delivered in Office 365](/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-worldwide) | modified |

-| 1/2/2024 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide) | modified |

-| 1/2/2024 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide) | modified |

-| 1/2/2024 | [Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies?view=o365-worldwide) | modified |

-| 1/2/2024 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | modified |

-| 1/2/2024 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-worldwide) | modified |

-| 1/2/2024 | [Frequently asked questions (FAQs) on tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | added |

-| 1/2/2024 | [Troubleshoot problems with tamper protection](/microsoft-365/security/defender-endpoint/troubleshoot-problems-with-tamper-protection?view=o365-worldwide) | added |

-| 1/2/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management (Preview)](/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage?view=o365-worldwide) | modified |

-| 1/2/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions (Preview)](/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage?view=o365-worldwide) | modified |

-| 1/2/2024 | [Use PowerShell to manage your Shifts connection to UKG Dimensions](/microsoft-365/frontline/shifts-connector-ukg-powershell-manage?view=o365-worldwide) | modified |

-| 1/2/2024 | [Use the Shifts connector wizard to connect Shifts to UKG Dimensions (Preview)](/microsoft-365/frontline/shifts-connector-wizard-ukg?view=o365-worldwide) | modified |

-| 1/2/2024 | [Configure and validate Microsoft Defender Antivirus network connections](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide) | modified |

-| 1/3/2024 | [How Microsoft names threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) | modified |

-| 1/3/2024 | Create a B2B extranet with managed guests | removed |

-| 1/3/2024 | [Best practices for unauthenticated sharing](/microsoft-365/solutions/best-practices-anonymous-sharing?view=o365-worldwide) | modified |

-| 1/3/2024 | [Understand end-of-sale products in the Microsoft 365 admin center](/microsoft-365/commerce/subscriptions/understand-eos-products?view=o365-worldwide) | added |

-| 1/3/2024 | [Integrate Microsoft Reflect LTI with D2L Brightspace](/microsoft-365/lti/reflect-lti-brightspace?view=o365-worldwide) | added |

-| 1/3/2024 | [Integrate Microsoft Reflect LTI with Moodle](/microsoft-365/lti/reflect-lti-moodle?view=o365-worldwide) | added |

-| 1/3/2024 | [Change your endpoint security subscription](/microsoft-365/security/defender-business/mdb-manage-subscription?view=o365-worldwide) | modified |

-| 1/3/2024 | [Protect and govern personal data ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-protect-govern?view=o365-worldwide) | modified |

-| 1/3/2024 | [Stay on track with data privacy regulations ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-regulations?view=o365-worldwide) | modified |

-| 1/4/2024 | [Rerun queries in query history](/microsoft-365/security/defender/advanced-hunting-query-history?view=o365-worldwide) | added |

-| 1/4/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | added |

-| 1/4/2024 | [Work with advanced hunting query results in Microsoft Defender XDR](/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-worldwide) | modified |

-| 1/4/2024 | [Import roles to Microsoft Defender XDR Unified role-based access control (RBAC)](/microsoft-365/security/defender/import-rbac-roles?view=o365-worldwide) | modified |

-| 1/4/2024 | [Try out Microsoft Syntex and explore its features](/microsoft-365/syntex/trial-syntex) | modified |

-| 1/4/2024 | [Try out Microsoft Syntex and explore its services](/microsoft-365/syntex/promo-syntex) | renamed |

-| 1/5/2024 | [Understand the Microsoft 365 E3 and E5 Extra Features license](/microsoft-365/commerce/licenses/e3-extra-features-licenses?view=o365-worldwide) | modified |

-| 1/5/2024 | [Integrate Microsoft Reflect LTI with Blackboard Learn](/microsoft-365/lti/reflect-lti-blackboard?view=o365-worldwide) | added |

-| 1/5/2024 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |

-| 1/5/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified |

-| 1/5/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified |

-| 1/5/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified |

-| 1/5/2024 | [Migrate devices to use the streamlined onboarding method](/microsoft-365/security/defender-endpoint/migrate-devices-streamlined?view=o365-worldwide) | modified |

-| 1/5/2024 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified |

-| 1/5/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified |

-| 1/5/2024 | [UEFI scanning in Defender for Endpoint](/microsoft-365/security/defender-endpoint/uefi-scanning-in-defender-for-endpoint?view=o365-worldwide) | modified |

-| 1/5/2024 | [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](/microsoft-365/security/defender/microsoft-sentinel-onboard?view=o365-worldwide) | modified |

-| 1/5/2024 | [Advanced hunting in multi-tenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-advanced-hunting?view=o365-worldwide) | modified |

-| 1/5/2024 | [Analyze your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-analyze?view=o365-worldwide) | modified |

-| 1/5/2024 | [Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-worldwide) | modified |

-keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable

-Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 or Windows 11 device.

-It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).

-**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively.

-By default, Microsoft Defender Antivirus will enable itself on a Windows 10 or a Windows 11 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly.

-If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device:

-If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options.

-Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.

-Sliding the switch to **On** will show the standard Microsoft Defender Antivirus options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.

- - [RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)](#rhel-and-variants-centos-fedora-oracle-linux-and-amazon-linux-2-1)

- - [RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)](#rhel-and-variants-centos-fedora-oracle-linux-and-amazon-linux-2)

-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.

-### RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)

- For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel:

- For example, if you are running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel:

- For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel:

-### RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)

- If you're running RHEL 8.x or Ubuntu 20.04 or higher, you will need to use `python3`.

- For the rest of distros and versions, you will need to use `python`.

-4. Check the health status of the product by running the following command. A return value of `1` denotes that the product is functioning as expected:

- - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):

- If it is not enabled, execute the following command:

-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.

-> Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64 will result in kernel hang when eBPF is enabled as supplementary subsystem provider. This kernel version should not be used for eBPF mode. Refer to Troubleshooting and Diagnostics section for mitigation steps.

-&ensp;Engine version: **1.1.23110.4**<br/>

-&ensp;Signature version: **1.403.1579.0**<br/>

-## Schedule a scan with *launchd*

-You can create a scanning schedule using the *launchd* daemon on a macOS device.

-For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.

-### Schedule a quick scan

-The following code shows the schema you need to use to schedule a quick scan.

- ```XML

- <?xml version="1.0" encoding="UTF-8"?>

- <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"

- "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

- <plist version="1.0">

- <dict>

- <key>Label</key>

- <string>com.microsoft.wdav.schedquickscan</string>

- <key>ProgramArguments</key>

- <array>

- <string>sh</string>

- <string>-c</string>

- <string>/usr/local/bin/mdatp scan quick</string>

- </array>

- <key>RunAtLoad</key>

- <true/>

- <key>StartCalendarInterval</key>

- <dict>

- <key>Hour</key>

- <integer>2</integer>

- <key>Minute</key>

- <integer>0</integer>

- <key>Weekday</key>

- <integer>5</integer>

- </dict>

- <key>WorkingDirectory</key>

- <string>/usr/local/bin/</string>

- </dict>

- </plist>

- ```

-2. Save the file as *com.microsoft.wdav.schedquickscan.plist* to the /Library/LaunchDaemons directory.

-### Schedule a full scan

- ```XML

- <?xml version="1.0" encoding="UTF-8"?>

- <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"

- "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

- <plist version="1.0">

- <dict>

- <key>Label</key>

- <string>com.microsoft.wdav.schedfullscan</string>

- <key>ProgramArguments</key>

- <array>

- <string>sh</string>

- <string>-c</string>

- <string>/usr/local/bin/mdatp scan full</string>

- </array>

- <key>RunAtLoad</key>

- <true/>

- <key>StartCalendarInterval</key>

- <dict>

- <key>Hour</key>

- <integer>2</integer>

- <key>Minute</key>

- <integer>50</integer>

- <key>Weekday</key>

- <integer>5</integer>

- </dict>

- <key>WorkingDirectory</key>

- <string>/usr/local/bin/</string>

- </dict>

- </plist>

- ```

-2. Save the file as *com.microsoft.wdav.schedfullscan.plist* to the /Library/LaunchDaemons directory.

-

-### Load your file

-1. Open **Terminal**.

-2. Enter the following commands to load your file:

- ```bash

- chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.sched*

- chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.sched*

- xattr -c /Library/LaunchDaemons/com.microsoft.wdav.sched*

- launchctl load -w /Library/LaunchDaemons/<your file name.plist>

- ```

-3. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the previous examples, the scan runs at 2:50 AM every Friday.

- - The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. The range is between 1 and 7 with 7 representing Sunday.

- - The `Day` value of `StartCalendarInterval` uses an integer to indicate the third day of the month. The range is between 1 and 31.

- - The `Hour` value of `StartCalendarInterval` uses an integer to indicate the second hour of the day. The range is between 0 and 23.

- The `Minute` value of `StartCalendarInterval` uses an integer to indicate fifty minutes of the hour. The range is between 0 and 59.

-

-

- > [!IMPORTANT]

- > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.

- >

- > If the device is turned off, the scan will run at the next scheduled scan time.

-## Schedule a scan with Intune

-You can also schedule scans with Microsoft Intune. The runMDATPQuickScan.sh shell script available at [Scripts for Microsoft Defender for Endpoint](https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Config/MDATP) will persist when the device resumes from sleep mode.

-See [Use shell scripts on macOS devices in Intune](/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.

-Tamper protection is turned on in block mode by default to help secure your Mac against threats. To learn more, see [Protect macOS security settings with tamper protection](built-in-protection.md).

-Apple has fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly.

-> To check, run the [mdatp health --details device_control](mac-device-control-overview.md#status) command, and inspect the `active` property, it should not contain "v1".

- - Users must update Microsoft Defender for Endpoint for Mac to version 101.59.50 (or newer) prior to updating their devices to macOS Monterey 12.3 (or newer). This minimal version 101.59.50 is a prerequisite to eliminating Python-related issues with Microsoft Defender for Endpoint for Mac on macOS Monterey.

- - For remote deployments, existing MDM setups must be updated to Microsoft Defender for Endpoint for Mac version 101.59.50 (or newer). Pushing via MDM an older Microsoft Defender for Endpoint for Mac version to macOS Monterey 12.3 (or newer) will result in an installation failure.

-Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities.

-> [!IMPORTANT]

-> These actions are not currently supported for devices running macOS or Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md)

-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes |  |  |  ^[4] |  ^[4] |

-Users with access to Security Copilot have access to this capability in advanced hunting.

-> DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain.

-> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys through Microsoft Defender XDR: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> \> **Rules** section \> **DKIM**.

-keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents

-keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer

-# Analyze scripts and codes with Microsoft Security Copilot in Microsoft Defender XDR

- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

- > - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks. For information about how _explicit_ [DMARC](email-authentication-dmarc-configure.md) checks are affected by anti-spoofing protection and the configuration of the DMARC policy (`p=quarantine` or `p=reject` in the DMARC record), see the [Spoof protection and sender DMARC policies](#spoof-protection-and-sender-dmarc-policies) section.

-> If the MX record for the domain points to a third-party service or device that sits in front of Microsoft 365, the **Honor DMARC policy** setting is applied only if [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is enabled for the connector that receives inbound messages.

-> Customers can override the **Honor DMARC policy** setting for specific email messages and/or senders using tenant and user overrides.

-If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see [Solutions for legitimate senders who are sending unauthenticated email](email-authentication-about.md#solutions-for-legitimate-senders-who-are-sending-unauthenticated-email).

- - **Allowed**: The domain failed explicit email authentication checks [SPF](email-authentication-anti-spoofing.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md). However, the domain passed our implicit email authentication checks ([composite authentication](email-authentication-about.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message.

- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

- - **SPF passed**: The sender was authenticated by the [Sender Policy Framework (SPF)](email-authentication-anti-spoofing.md). A sender that doesn't pass SPF validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.

- - **DKIM passed**: The sender was authenticated by [Domain Keys Identified Mail (DKIM)](email-authentication-dkim-support-about.md). A sender that doesn't pass DKIM validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.

-description: Admins can learn how EOP uses email authentication (SPF, DKIM, and DMARC) to help prevent spoofing, phishing, and spam.

-# Email authentication in EOP

-Email authentication (also known as _email validation_) is a group of standards that tries to stop email messages from forged senders (also known as _spoofing_). Microsoft 365 uses the following standards to verify inbound email:

-Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain (for example, contoso.com).

-The rest of this article explains how these technologies work, and how EOP uses them to check inbound email. For information about configuring SPF, DKIM, and DMARC records in DNS, see the previous links.

-## Use email authentication to help prevent spoofing

-DMARC prevents spoofing by examining the **From** address in messages. The **From** address is the sender's email address that users see in their email client. Destination email organizations can also verify that the email domain has passed SPF or DKIM. In other words, the source domain is a valid source for senders in the **From** address, so the sender's email address isn't spoofed.

-However, DNS records for SPF, DKIM, and DMARC (collectively known as _email authentication policies_) are optional. Domains with strong email authentication policies are protected from spoofing. But domains with weaker email authentication policies or no policy at all are prime targets for being spoofed.

-Lack of strong email authentication policies is a large problem. While organizations might not understand how email authentication works, attackers fully understand and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses _implicit email authentication_ to check inbound email.

-Implicit email authentication is an extension of regular email authentication policies. These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies are marked as spoofing.

-To see Microsoft's general announcement, see [A Sea of Phish Part 2 - Enhanced Anti-spoofing in Microsoft 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Schooling-A-Sea-of-Phish-Part-2-Enhanced-Anti-spoofing/ba-p/176209).

-## Composite authentication

-If a domain doesn't have traditional SPF, DKIM, and DMARC records, those record checks don't communicate enough authentication status information. Therefore, Microsoft has developed an algorithm for implicit email authentication. This algorithm combines multiple signals into a single value called _composite authentication_, or `compauth` for short. The `compauth` value is stamped into the **Authentication-Results** header in the message headers.

-```text

-Authentication-Results:

- compauth=<fail | pass | softpass | none> reason=<yyy>

-These values are explained at [Authentication-results message header](message-headers-eop-mdo.md#authentication-results-message-header).

-By examining the message headers, admins and users can determine how Microsoft 365 determined that the sender is spoofed.

-## Why email authentication isn't always enough to stop spoofing

-Relying only on email authentication records to determine if an incoming message is spoofed has the following limitations:

-Composite authentication can address these limitations by passing messages that would otherwise fail email authentication checks.

-For simplicity, the following examples concentrate on email authentication results. Other back-end intelligence factors could identify messages that pass email authentication as spoofed, or messages that fail email authentication as legitimate.

-For example, the fabrikam.com domain has no SPF, DKIM, or DMARC records. Messages from senders in the fabrikam.com domain can fail composite authentication (note the `compauth` value and reason):

-```text

-Authentication-Results: spf=none (sender IP is 10.2.3.4)

- smtp.mailfrom=fabrikam.com; contoso.com; dkim=none

- (message not signed) header.d=none; contoso.com; dmarc=none

- action=none header.from=fabrikam.com; compauth=fail reason=001

-From: chris@fabrikam.com

-To: michelle@contoso.com

-```

-If fabrikam.com configures an SPF without a DKIM record, the message can pass composite authentication. The domain that passed SPF checks is aligned with the domain in the From address:

-```text

-Authentication-Results: spf=pass (sender IP is 10.2.3.4)

- smtp.mailfrom=fabrikam.com; contoso.com; dkim=none

- (message not signed) header.d=none; contoso.com; dmarc=bestguesspass

- action=none header.from=fabrikam.com; compauth=pass reason=109

-From: chris@fabrikam.com

-To: michelle@contoso.com

-```

-If fabrikam.com configures a DKIM record without an SPF record, the message can pass composite authentication. The domain in the DKIM signature is aligned with the domain in the From address:

-```text

-Authentication-Results: spf=none (sender IP is 10.2.3.4)

- smtp.mailfrom=fabrikam.com; contoso.com; dkim=pass

- (signature was verified) header.d=outbound.fabrikam.com;

- contoso.com; dmarc=bestguesspass action=none

- header.from=fabrikam.com; compauth=pass reason=109

-From: chris@fabrikam.com

-To: michelle@contoso.com

-```

-If the domain in SPF or the DKIM signature doesn't align with the domain in the From address, the message can fail composite authentication:

-```text

-Authentication-Results: spf=none (sender IP is 192.168.1.8)

- smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass

- (signature was verified) header.d=maliciousdomain.com;

- contoso.com; dmarc=none action=none header.from=contoso.com;

- compauth=fail reason=001

-From: chris@contoso.com

-To: michelle@fabrikam.com

-```

-## Solutions for legitimate senders who are sending unauthenticated email

-Microsoft 365 keeps track of who is sending unauthenticated email to your organization. If the service thinks the sender isn't legitimate, it marks messages from this sender as a composite authentication failure. To avoid this verdict, you can use the recommendations in this section.

-### Configure email authentication for domains you own

-You can use this method to resolve intra-org spoofing and cross-domain spoofing in cases where you own or interact with multiple tenants. It also helps resolve cross-domain spoofing where you send to other customers within Microsoft 365 or third parties that are hosted by other providers.

-Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, that information is available online. There are also third party companies dedicated to helping your organization set up email authentication records.

-#### You don't know all sources for your email

-Many domains don't publish SPF records because they don't know all of the email sources for messages in their domain. Start by publishing an SPF record that contains all of the email sources you know about (especially where your corporate traffic is located), and publish the enforcement rule value "soft fail" (`~all`) in the SPF record. For example:

-fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ~all"

-This example means that email from your corporate infrastructure passes email authentication, but email from unknown sources falls back to "soft fail". Typically, email servers are configured to deliver these messages.

-Microsoft 365 treats inbound email from your corporate infrastructure as authenticated. Email from unidentified sources might still be marked as spoof if it fails implicit authentication. However, this behavior is still an improvement from all email being marked as spoof by Microsoft 365.

-Once you've gotten started with an SPF fallback policy of `~all`, you can gradually discover and include more email sources for your messages, and then update your SPF record with a stricter policy.

-### Configure permitted senders of unauthenticated email

-You can also use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) and the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to permit senders to transmit unauthenticated messages to your organization.

-For external domains, the spoofed user is the domain in the From address, while the sending infrastructure is one of the following values:

-### Create an allow entry for the sender/recipient pair

-To bypass spam filtering for some senders, but not malware or high confidence phishing, see [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md).

-### Ask the sender to configure email authentication for domains you don't own

-Because of the problem of spam and phishing, Microsoft recommends email authentication for all email organizations. Instead of configuring manual overrides in your organization, you can ask an admin in the source domain to configure their email authentication records.

- - On-premises email servers.

- - Email sent from a software-as-a-service (SaaS) provider.

- - Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace, Amazon Web Services, etc.).

-While it might be difficult at first to get sending domains to authenticate, but successful email delivery compels them to do so as more email filters junk or even reject their email. Also, their participation can help in the fight against phishing, and can reduce the possibility of phishing in their organization or organizations that they send email to.

-#### Information for infrastructure providers (ISPs, ESPs, or cloud hosting services)

-If you host a domain's email or provide hosting infrastructure that can send email, you should do the following steps:

-Delivery to Microsoft isn't guaranteed, even if you authenticate email originating from your platform. But, the configuration ensures that Microsoft doesn't junk your email because it isn't authenticated.

-## Related links

-For more information about service providers best practices, see [M3AAWG Mobile Messaging Best Practices for Service Providers](https://www.m3aawg.org/sites/default/files/m3aawg-mobile-messaging-best-practices-service-providers-2015-08_0.pdf).

-Learn how Office 365 uses SPF and supports DKIM validation:

- - CSH

- - MET150

- - m365-security

- - tier2

- - seo-marvel-apr2020

-description: Learn how Microsoft 365 uses the Sender Policy Framework (SPF) TXT record in DNS to ensure that destination email systems trust messages sent from your custom domain.

-appliesto:

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

-# How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing

-An _SPF TXT record_ is a record in DNS that helps prevent spoofing and phishing by identifying valid sources of messages from senders in the domain. SPF validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain.

-> [!NOTE]

-> SPF record types were deprecated by the Internet Engineering Task Force (IETF) in 2014. Instead, ensure that you use TXT records in DNS to publish your SPF information. The rest of this article uses the term SPF TXT record for clarity.

-Domain administrators publish SPF information in TXT records in DNS. The SPF information identifies authorized outbound email servers for the domain. Destination email systems verify that messages from senders in the domain came from authorized outbound email servers. If you're already familiar with SPF or you have a simple email environment, you can go to [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md) to create the SPF record for your domain. If your email environment isn't fully hosted in Microsoft 365, if you want more information about how SPF works, or if you want to troubleshoot SPF for Microsoft 365, keep reading.

-> [!NOTE]

-> Previously, SharePoint online required an additional SPF TXT record in your custom domain. This additional SPF TXT record is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. If you receive the "too many lookups" error, modify your SPF TXT record as described in [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md).

-## How SPF works to prevent spoofing and phishing in Microsoft 365

-SPF determines whether or not a sender is permitted to send on behalf of a domain. If the message source isn't valid for the domain (the message fails the SPF check on the destination email server), the spam policy configured on the destination email server determines what to do with the message.

-A valid SPF TXT record contains the following elements:

- The destination email server also does a DNS lookup on the SPF TXT record for the specified external domains (contoso.net, then contoso.org), and then does more lookups for any other domains included in the DNS TXT records for _those_ domains. To help prevent denial of service (DoS) attacks, the maximum number of DNS lookups for a single email message is 10. Each `include:` statement in the chain of DNS TXT records counts as one DNS lookup. For tips on how to avoid this condition, see the [Troubleshooting: Best practices for SPF in Microsoft 365](#troubleshooting-best-practices-for-spf-in-microsoft-365) section later in this article.

-These elements are described in detail later in this article.

-SPF works best when the path from sender to receiver is direct. For example:

-The message passes the SPF check and is authenticated at woodgrovebank.com if IP address #1 is in the SPF TXT record for contoso.com.

-In this example, an attacker decides to spoof mail from contoso.com:

-The message fails the SPF check at woodgrovebank.com, and woodgrovebank.com might choose to mark the message as spam because IP address #12 isn't in the SPF TXT record for contoso.com.

-One drawback of SPF is that it doesn't work on forwarded email. For example, a user at woodgrovebank.com has set up a forwarding rule to send all email to an outlook.com account:

-The message originally passes the SPF check at woodgrovebank.com, but it fails the SPF check at outlook.com because IP #25 isn't in contoso.com's SPF TXT record. Outlook.com might then mark the message as spam. To work around this problem, use SPF with other email authentication methods, such as [DKIM](email-authentication-dkim-configure.md) and [DMARC](email-authentication-dmarc-configure.md).

-The rest of this article explains the elements of an SPF TXT record and describes how to create SPF TXT records in Microsoft 365.

-## Create SPF TXT records for Microsoft 365

-Use the information in this article to create the SPF TXT record for your custom domain. Although there are other syntax options that aren't mentioned here, this article describes the most commonly used options.

-For information about the domains you need to include for Microsoft 365, see [External DNS records required for SPF](/microsoft-365/enterprise/external-domain-name-system-records). Use the [step-by-step instructions](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for updating SPF (TXT) records at your domain registrar.

-### SPF TXT record syntax for Microsoft 365

-A typical SPF TXT record has the following syntax:

-```text

-v=spf1 [<ip4>|<ip6>:<IPAddress1> <ip4>|<ip6>:<IPAddress2>... <ip4>|<ip6>:<AddressN>] [include:<DomainName1> include:<DomainName1>... include:<DomainNameN>] <enforcement rule>

-```

-For example:

-```text

-v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all

-```

- - `-all`: Hard fail. Mark the message with 'hard fail' in the message envelope and follow the destination email server's configured spam policy for this type of message. We recommend this value in the following scenarios:

- - You know all of the authorized IP addresses for mail in your domain, and those IP addresses are listed in the SPF TXT record.

- - You're only using SPF, not DMARC or DKIM.

- - `~all`: Soft fail. Mark the message with 'soft fail' in the message envelope. Typically, email servers are configured to deliver these messages. Most end users don't see this mark. We recommend this value in the following scenarios only; otherwise, we recommend `-all`:

- - You're unsure if you have the complete list authorized IP addresses for mail in your domain.

- - You're using DMARC with `p=quarantine` or `p=reject`.

- - `?all`: Neutral. Do nothing (don't mark the message envelope). Used for testing SPF. We don't recommend using this value in your production environment.

-### Example: SPF TXT record when all mail is sent by Microsoft 365

-If you have mailboxes in Microsoft 365, the SPF TXT record for your custom domain must contain the value `include:spf.protection.outlook.com`. If no other devices, services, or third-party services (for example, bulk mailing services) are authorized to send email from your domain, use the enforcement value `-all` (hard fail) as previously described. Your SPF TXT record looks like this:

-```text

-v=spf1 include:spf.protection.outlook.com -all

-```

-### Example: SPF TXT record in hybrid environments

-In hybrid environments with on-premises mailboxes and mailboxes in Microsoft 365, you also need to specify the IP addresses of all email servers, devices, or third-party services that are authorized to send email from your domain. In this example, that's 192.168.0.1, 192.168.0.2, and 192.168.0.3. If you're confident that you've identified all authorized email sources for your domain, use the enforcement value `-all` (hard fail). Your SPF TXT record looks something like this:

-```text

-v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 include:spf.protection.outlook.com -all

-```

-## Next steps

-Follow the steps in [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md) to add the SPF TXT record for your custom domain at your domain registrar.

-To help protect against phishing and spoofing techniques that SPF can't, you should also configure DKIM and DMARC DNS records in your domain. To get started, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](email-authentication-dkim-configure.md) and [Use DMARC to validate email in Microsoft 365](email-authentication-dmarc-configure.md).

-## Troubleshooting: Best practices for SPF in Microsoft 365

-A domain supports only one SPF TXT record. Multiple DNS TXT records for the same domain cause a DNS lookup loop that makes SPF fail. To avoid this scenario, you can create a separate DNS TXT record for each subdomain. For example, create one DNS TXT record for contoso.com and another DNS TXT record for bulkmail.contoso.com.

-As previously described, if an email message causes more than 10 DNS lookups for SPF, the destination email server responds with a permanent error (also called a _permerror_) that causes the message to fail SPF. The destination email server might also return the message in a non-delivery report (also known as an NDR or _bounce message_) that contains one of the following errors:

-To avoid these errors, you can require users in your organization to send bulk email from a subdomain that's designed for that purpose (for example, bulkmail.contoso.com). You then create a different SPF TXT record for the subdomain that includes the bulk email sources. Most bulk email senders have a specific domain or subdomain that you need to add as an `include:` value in your SPF TXT record. For example, exacttarget.com directs you add or use `include:cust-spf.exacttarget.com` in your SPF TXT record.

-## View your current SPF TXT record and determine the number of lookups that it requires

-You can use nslookup to view your DNS records, including your SPF TXT record. There are many free, online tools that you can use to view the contents of your SPF TXT record. By looking at your SPF TXT record and following the chain of `include:` statements and redirects, you can determine how many DNS lookups are required. Some online tools even count and display these lookups for you. Keeping track of this number helps prevent SPF failures.

-## For more information

-Need help with adding the SPF TXT record? Read [Create DNS records at any DNS hosting provider for Microsoft 365](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for detailed information about using SPF with your custom domain in Microsoft 365. [Anti-spam message headers](message-headers-eop-mdo.md) includes the syntax and header fields used by Microsoft 365 for SPF checks.

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email authentication ([SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md)) verify email senders for the safety of the recipients.

-But, some legitimate services might make changes to the message between the sender and recipient. For example, changes to the message might cause source IP address of the message to change, which can cause the following email authentication failures:

-Authenticated Received Chain (ARC) helps reduce delivery failures due to legitimate email message changes by preserving the original email authentication information. You can configure your Microsoft 365 organization trust the service that modified the message, and to use that original information to help the message pass email authentication.

-## ARC in Microsoft Defender for Office 365

-Services that modify message content in transit before delivery can invalidate DKIM email signatures and affect the authentication of the message. These services can use ARC to provide details of the original authentication before the modifications occurred. Your organization can then trust these details to help authenticate the message.

-Trusted ARC sealers let admins add a list of *trusted* intermediaries into the Microsoft Defender portal. Trusted ARC sealers allow Microsoft to honor ARC signatures from these trusted intermediaries, preventing these legitimate messages from failing the authentication chain.

-> [!NOTE]

-> Trusted ARC sealers is an admin-created list of intermediary domains that use ARC sealing. When an email is routed to Microsoft 365 through an ARC trusted intermediary, Microsoft 365 validates the ARC signature and (based on the ARC results) can honor the provided authentication details.

-Microsoft 365 organizations need a list of trusted ARC sealers only when intermediaries are a regular part of mail flow and when messages are affected in the following ways:

-When an admin adds a trusted ARC sealer, Microsoft 365 validates and trusts the authentication results that the ARC sealer provides when delivering mail to your organization.

-> [!NOTE]

-> Add only legitimate, required services as trusted ARC sealers in your organization. Doing so helps affected messages pass email authentication checks, and prevents legitimate messages from being delivered to the Junk Email folder, quarantined, or rejected due to authentication failures.

- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

-<a name='use-the-microsoft-365-defender-portal-to-add-trusted-arc-sealers'></a>

- The domain name must match the domain that's shown in the `d` tag in the **ARC-Seal** and **ARC-Message-Signature** headers in affected email messages. You can use Outlook to see these headers. For instructions, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c).

- To *replace* any existing ARC sealers with the values you specify, use the following syntax:

- The TenantId\ value isn't required in your own organization, only in delegated organizations. It's a GUID that's visible in many admin portal URLs in Microsoft 365 (the tid= value). For example, a32d39e2-3702-4ff5-9628-31358774c091.

-If there's an ARC seal from a third party before the message reaches Microsoft 365, check the message header for the latest ARC headers after the message is delivered.

-40.107.65.78) smtp.rcpttodomain=microsoft.com

-Authentication-Results: spf=fail (sender IP is 51.163.158.241)

-These diagrams contrast mail flow operations with and without a trusted ARC sealer when using any SPF, DKIM, and DMARC email authentication. In both diagrams, the Microsoft 365 organization uses legitimate services that must interrupt mail flow, which can violate email authentication standards by changing the source IP, and update the email message header.

-This diagram demonstrates the result *without* a trusted ARC sealer:

-This diagram demonstrates the result *with* a trusted ARC sealer:

-## Next steps: After you set up ARC for Defender for Office 365

-After setup, check your ARC Headers with Message Header Analyzer at <https://mha.azurewebsites.net>.

-Review the [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), [DMARC](email-authentication-dmarc-configure.md), configuration steps.

-description: Learn how to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure messages sent from your custom domain are trusted by the destination email systems.

-# Use DKIM to validate outbound email sent from your custom domain

-This article lists the steps to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain.

-In this article:

-> [!NOTE]

-> Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).

-DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain.

-DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate.

-In basic, a private key encrypts the header in a domain's outgoing email. The public key is published in the domain's DNS records, and receiving servers can use that key to decode the signature. DKIM verification helps the receiving servers confirm the mail is really coming from your domain and not someone *spoofing* your domain.

-> [!TIP]

-> You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain.

- Microsoft-365's built-in DKIM configuration is sufficient coverage for most customers. However, you should manually configure DKIM for your custom domain in the following circumstances:

-## How DKIM works better than SPF alone to prevent malicious spoofing

-<a name="HowDKIMWorks"> </a>

-SPF adds information to a message envelope but DKIM *encrypts* a signature within the message header. When you forward a message, portions of that message's envelope can be stripped away by the forwarding server. Since the digital signature stays with the email message because it's part of the email header, DKIM works even when a message has been forwarded as shown in the following example.

-In this example, if you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. **The addition of DKIM in this scenario reduces *false positive* spam reporting.** Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than SPF. We recommend using both SPF and DKIM, as well as DMARC in your deployment.

-> DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then uses the **d=** field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes.

-## Steps to Create, enable and disable DKIM from Microsoft Defender portal

-All the accepted domains of your tenant will be shown in the Microsoft Defender portal under the DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain).

-Once your domain is added, follow the steps as shown below to configure DKIM.

-Step 1: On the [DKIM page](https://security.microsoft.com/dkimv2), select the domain you wish to configure.

-Step 2: Click **Create DKIM keys**. You will see a pop-up window stating that you need to add CNAME records.

-Step 3: Copy the CNAMES shown in the pop up window

-Step 4: Publish the copied CNAME records to your DNS service provider.

-On your DNS provider's website, add CNAME records for DKIM that you want to enable. Make sure that the fields are set to the following values for each:

-```text

-Record Type: CNAME (Alias)

-> Host: Paste the values you copy from DKIM page.

-Points to address: Copy the value from DKIM page.

-TTL: 3600 (or your provider default)

-```

-Step 5: Return to DKIM page to enable DKIM.

-If you see CNAME record doesn't exist error, it might be due to:

-1. Synchronization with DNS server, which might take few seconds to hours, if the problem persists repeat the steps again

-2. Check for any copy paste errors, like additional space or tabs etc.

-If you wish to disable DKIM, toggle back to disable mode.

-## Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys

-<a name="1024to2048DKIM"> </a>

-> [!NOTE]

-> Microsoft 365 automatically sets up DKIM for *onmicrosoft.com* domains. No steps are needed to use DKIM for any initial domain names (like litware.*onmicrosoft.com*). For more information about domains, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).

-Since both 1024 and 2048 bitness are supported for DKIM keys, these directions will tell you how to upgrade your 1024-bit key to 2048 in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). The steps below are for two use-cases, please choose the one that best fits your configuration.

- ```powershell

- Rotate-DkimSigningConfig -KeySize 2048 -Identity <DkimSigningConfigIdParameter>

- ```

- **or**

- ```powershell

- New-DkimSigningConfig -DomainName <Domain for which config is to be created> -KeySize 2048 -Enabled $true

- ```

-Stay connected to Exchange Online PowerShell to *verify* the configuration by running the following command:

-```powershell

-Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List

-```

-> [!TIP]

-> This new 2048-bit key takes effect on the RotateOnDate, and will send emails with the 1024-bit key in the interim. After four days, you can test again with the 2048-bit key (that is, once the rotation takes effect to the second selector).

-If you want to rotate to the second selector, after four days and confirming that 2048-bitness is in use, manually rotate the second selector key by using the appropriate cmdlet listed above.

-For detailed syntax and parameter information, see the following articles: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig), [New-DkimSigningConfig](/powershell/module/exchange/new-dkimsigningconfig), and [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig).

-## Steps to manually set up DKIM using PowerShell

-<a name="SetUpDKIMO365"> </a>

-To configure DKIM, you will complete these steps:

-### Publish two CNAME records for your custom domain in DNS

-<a name="Publish2CNAME"> </a>

-For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records.

-> [!NOTE]

-> If you haven't read the full article, you might have missed this time-saving PowerShell connection information: [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

-Run the following commands in Exchange Online PowerShell to create the selector records:

-```powershell

-New-DkimSigningConfig -DomainName <domain> -Enabled $false

-Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME

-```

-If you have provisioned custom domains in addition to the initial domain in Microsoft 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish two additional CNAME records, and so on.

-Use the following format for the CNAME records.

-> [!IMPORTANT]

-> If you are one of our GCC High customers, we calculate _customDomainIdentifier_ differently! Instead of looking up the MX record for your _initialDomain_ to calculate _customDomainIdentifier_, instead we calculate it directly from the customized domain. For example, if your customized domain is "contoso.com" your _customDomainIdentifier_ becomes "contoso-com", any periods are replaced with a dash. So, regardless of what MX record your _initialDomain_ points to, you'll always use the above method to calculate the _customDomainIdentifier_ to use in your CNAME records.

-```console

-Host name: selector1._domainkey

-Points to address or value: selector1-<customDomainIdentifier>._domainkey.<initialDomain>

-TTL: 3600

-Host name: selector2._domainkey

-Points to address or value: selector2-<customDomainIdentifier>._domainkey.<initialDomain>

-TTL: 3600

-```

-Where:

- > contoso.com. 3600 IN MX 5 contoso-com.mail.protection.outlook.com

-For example, if you have an initial domain of cohovineyardandwinery.onmicrosoft.com, and two custom domains cohovineyard.com and cohowinery.com, you would need to set up two CNAME records for each additional domain, for a total of four CNAME records.

-```console

-Host name: selector1._domainkey

-Points to address or value: selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com

-TTL: 3600

-Host name: selector2._domainkey

-Points to address or value: selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com

-TTL: 3600

-Host name: selector1._domainkey

-Points to address or value: selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com

-TTL: 3600

-Host name: selector2._domainkey

-Points to address or value: selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com

-TTL: 3600

-```

-> [!NOTE]

-> It's important to create CNAME records for both selectors in the DNS, but only one (active) selector is published with the public key at the time of creation. This behavior is expected and doesn't affect DKIM signing for your custom domains. The second selector will be published with the public key after any future key rotation when it becomes active.

-### Steps to enable DKIM signing for your custom domain using PowerShell

-<a name="EnableDKIMinO365"> </a>

-Once you have published the CNAME records in DNS, replace \<Domain\> with your domain name, and then run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to enable DKIM signing through Microsoft 365:

-```powershell

-Set-DkimSigningConfig -Identity <Domain> -Enabled $true

-```

-For detailed syntax and parameter information, see [Set-DkimSigningConfig](/powershell/module/exchange/set-dkimsigningconfig).

-## Error: No DKIM keys saved for this domain

-<a name="NoDKIMKeys"> </a>

-If you're configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain', you need to use Exchange Online PowerShell to enable DKIM signing.

-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

-2. Use the following syntax:

- Set-DkimSigningConfig -Identity <Domain> -Enabled $true

- \<Domain\> is the name of the custom domain that you want to enable DKIM signing for.

- This example enables DKIM signing for the domain contoso.com:

- ```powershell

- Set-DkimSigningConfig -Identity contoso.com -Enabled $true

-For detailed syntax and parameter information, see [Set-DkimSigningConfig](/powershell/module/exchange/set-dkimsigningconfig).

-#### To Confirm DKIM signing is configured properly for Microsoft 365

-Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network.

- The DKIM-signed message will contain the host name and domain you defined when you published the CNAME entries. The message will look something like this example:

- ```console

- From: Example User <example@contoso.com>

- DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;

- s=selector1; d=contoso.com; t=1429912795;

- h=From:To:Message-ID:Subject:MIME-Version:Content-Type;

- bh=<body hash>;

- b=<signed field>;

- ```

-> [!IMPORTANT]

-> The DKIM signature is **omitted** under any of the following conditions:

->

-> - The sender and recipient email addresses are in the same domain.

-> - The sender and recipient email addresses are in different domains that are controlled by the same organization.

->

-> In both cases, the header will look similar to this:

-> ```console

-> Authentication-Results: dkim=none (message not signed) header.d=none;

-> dmarc=none action=none header.from=<sender_domain>;

-> ```

-## To configure DKIM for more than one custom domain

-<a name="DKIMMultiDomain"> </a>

-If at some point in the future you decide to add another custom domain and you want to enable DKIM for the new domain, you must complete the steps in this article for each domain. Specifically, complete all steps in [What you need to do to manually set up DKIM](email-authentication-dkim-configure.md#SetUpDKIMO365).

-## Disabling the DKIM signing policy for a custom domain

-<a name="DisableDKIMSigningPolicy"> </a>

-Disabling the signing policy does not completely disable DKIM. After a period of time, Microsoft 365 will automatically apply the default policy for your domain, if the default policy is still in the enabled state. If you wish to completely disable DKIM, you need to disable DKIM on both the custom and default domains. For more information, see [Default behavior for DKIM and Microsoft 365](email-authentication-dkim-configure.md#DefaultDKIMbehavior).

-### To disable the DKIM signing policy by using Windows PowerShell

-1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

-2. Run one of the following commands for each domain for which you want to disable DKIM signing.

- $p = Get-DkimSigningConfig -Identity <Domain>

- $p[0] | Set-DkimSigningConfig -Enabled $false

- For example:

- $p = Get-DkimSigningConfig -Identity contoso.com

- $p[0] | Set-DkimSigningConfig -Enabled $false

- Or

- Set-DkimSigningConfig -Identity $p[<number>].Identity -Enabled $false

- Where _number_ is the index of the policy. For example:

- Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false

-## Default behavior for DKIM and Microsoft 365

-<a name="DefaultDKIMbehavior"> </a>

-If you do not enable DKIM, Microsoft 365 automatically creates a 2048-bit DKIM public key for your Microsoft Online Email Routing Address (MOERA)/initial domain and the associated private key which we store internally in our datacenter. By default, Microsoft 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Microsoft 365 will use its default policy and keys it creates to enable DKIM for your domain.

-Also, if you disable DKIM signing on your custom domain after enabling it, after a period of time, Microsoft 365 will automatically apply the MOERA/initial domain policy for your custom domain.

-In the following example, suppose that DKIM for fabrikam.com was enabled by Microsoft 365, not by the administrator of the domain. This means that the required CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look something like this:

-```console

-From: Second Example <second.example@fabrikam.com>

-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;

- s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795;

- h=From:To:Message-ID:Subject:MIME-Version:Content-Type;

- bh=<body hash>;

- b=<signed field>;

-```

-In this example, the host name and domain contain the values to which the CNAME would point if DKIM-signing for fabrikam.com had been enabled by the domain administrator. Eventually, every single message sent from Microsoft 365 will be DKIM-signed. If you enable DKIM yourself, the domain will be the same as the domain in the From: address, in this case fabrikam.com. If you don't, it will not align and instead will use your organization's initial domain. For information about determining your initial domain, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).

-## Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain

-<a name="SetUp3rdPartyspoof"> </a>

-Some bulk email service providers, or software-as-a-service providers, let you set up DKIM keys for email that originates from their service. This requires coordination between yourself and the third-party in order to set up the necessary DNS records. Some third-party servers can have their own CNAME records with different selectors. No two organizations do it exactly the same way. Instead, the process depends entirely on the organization.

-An example message showing a properly configured DKIM for contoso.com and bulkemailprovider.com might look like this:

-```console

-Return-Path: <communication@bulkemailprovider.com>

- From: <sender@contoso.com>

- DKIM-Signature: s=s1024; d=contoso.com

- Subject: Here is a message from Bulk Email Provider's infrastructure, but with a DKIM signature authorized by contoso.com

-```

-In this example, in order to achieve this result:

-1. Bulk Email Provider gave Contoso a public DKIM key.

-2. Contoso published the DKIM key to its DNS record.

-3. When sending email, Bulk Email Provider signs the key with the corresponding private key. By doing so, Bulk Email Provider attached the DKIM signature to the message header.

-4. Receiving email systems perform a DKIM check by authenticating the DKIM-Signature d=\<domain\> value against the domain in the From: (5322.From) address of the message. In this example, the values match:

- > sender@**contoso.com**

- > d=**contoso.com**

-## Identify domains that do not send email

-Organizations should explicitly state if a domain does not send email by specifying `v=DKIM1; p=` in the DKIM record for those domains. This advises receiving email servers that there are no valid public keys for the domain, and any email claiming to be from that domain should be rejected. You should do this for each domain and subdomain using a wildcard DKIM.

-For example, the DKIM record would look like this:

-```console

-*._domainkey.SubDomainThatShouldntSendMail.contoso.com. TXT "v=DKIM1; p="

-```

-## Next steps: After you set up DKIM for Microsoft 365

-<a name="DKIMNextSteps"> </a>

-**Although DKIM is designed to help prevent spoofing, DKIM works better with SPF and DMARC.**

-Once you have set up DKIM, if you have not already set up SPF you should do so. For a quick introduction to SPF and to get it configured quickly, see [**Set up SPF in Microsoft 365 to help prevent spoofing**](email-authentication-spf-configure.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md).

-Next, see [**Use DMARC to validate email**](email-authentication-dmarc-configure.md). [Anti-spam message headers](message-headers-eop-mdo.md) includes the syntax and header fields used by Microsoft 365 for DKIM checks.

-**This test will validate** that the DKIM signing configuration has been configured correctly, and that the proper DNS entries have been published.

-> [!NOTE]

-> This feature requires a Microsoft 365 administrator account. This feature isn't available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or Microsoft 365 Germany.

-<div class="nextstepaction">

-<p><a href="https://admin.microsoft.com/AdminPortal/?searchSolutions=DKIM#/homepage" data-linktype="external">Run Tests: DKIM</a></p>

-</div>

-## More information

-Key rotation via PowerShell: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig)

-[Use DMARC to validate email](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure)

-[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure)

- - NOCSH

- - MET150

- - m365-security

- - tier1

-description: Learn about the validation of DKIM signed messages in Exchange Online Protection and Exchange Online

-appliesto:

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

-# Support for validation of DKIM signed messages

-Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail ([DKIM](https://www.rfc-editor.org/rfc/rfc6376.txt)) messages.

-DKIM validates that an email message wasn't *spoofed* by someone else, and was sent from the domain it *says* it came from. It ties an email message to the organization that sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft 365 also supports DKIM when mail is sent over IPv4. For more information about IPv6 support, see [Support for anonymous inbound email over IPv6](mail-flow-about.md#support-for-anonymous-inbound-email-over-ipv6).

-DKIM validates a digitally signed message that appears in the DKIM-Signature header of the message headers. The results of a DKIM-Signature validation are stamped in the Authentication-Results header. The message header text appears similar to the following (where contoso.com is the sender):

- `Authentication-Results: <contoso.com>; dkim=pass (signature was verified) header.d=example.com;`

-> [!NOTE]

-> For more information about the Authentication-Results header, see RFC 7001 ([Message Header Field for Indicating Message Authentication Status](https://www.rfc-editor.org/rfc/rfc7001.txt). Microsoft's DKIM implementation conforms with this RFC.

-Admins can create Exchange [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed.

-description: Learn how to configure Domain-based Message Authentication, Reporting, and Conformance (DMARC) to validate messages sent from your organization, contains information on DMARC reject or OReject.

-# Use DMARC to validate email

-Domain-based Message Authentication, Reporting, and Conformance ([DMARC](https://dmarc.org)) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders.

-DMARC ensures the destination email systems trust messages sent from your domain. Using DMARC with SPF and DKIM gives organizations more protection against spoofing and phishing email. DMARC helps receiving mail systems decide what to do with messages from your domain that fail SPF or DKIM checks.

-> [!TIP]

-> Visit the [Microsoft Intelligent Security Association (MISA)](https://www.microsoft.com/misapartnercatalog) catalog to view third-party vendors offering DMARC reporting for Microsoft 365.

-> [!TIP]

-> **Have you seen our step-by-step guides?** Configuration 1-2-3s and no frills, for admins in a hurry. Visit for the steps to *[enable DMARC Reporting for Microsoft Online Email Routing Addresses (MOERA) and parked Domains](step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md)*.

-## How do SPF and DMARC work together to protect email in Microsoft 365?

- An email message may contain multiple originator or sender addresses. These addresses are used for different purposes. For example, consider these addresses:

-SPF uses a DNS TXT record to list authorized sending IP addresses for a given domain. Normally, SPF checks are only performed against the 5321.MailFrom address. The 5322.From address isn't authenticated when you use SPF by itself, which allows for a scenario where a user gets a message that passed SPF checks but has a spoofed 5322.From sender address. For example, consider this SMTP transcript:

-```console

-S: Helo woodgrovebank.com

-S: Mail from: phish@phishing.contoso.com

-S: Rcpt to: astobes@tailspintoys.com

-S: data

-S: To: "Andrew Stobes" <astobes@tailspintoys.com>

-S: From: "Woodgrove Bank Security" <security@woodgrovebank.com>

-S: Subject: Woodgrove Bank - Action required

-S:

-S: Greetings User,

-S:

-S: We need to verify your banking details.

-S: Please click the following link to verify that Microsoft has the right information for your account.

-S:

-S: https://short.url/woodgrovebank/updateaccount/12-121.aspx

-S:

-S: Thank you,

-S: Woodgrove Bank

-S: .

-```

-In this transcript, the sender addresses are as follows:

-If you configured SPF, then the receiving server does a check against the Mail from address phish@phishing.contoso.com. If the message came from a valid source for the domain phishing.contoso.com, then the SPF check passes. Since the email client only displays the From address, the user sees this message came from security@woodgrovebank.com. With SPF alone, the validity of woodgrovebank.com was never authenticated.

-When you use DMARC, the receiving server also performs a check against the From address. In the example above, if there's a DMARC TXT record in place for woodgrovebank.com, then the check against the From address fails.

-## What is a DMARC TXT record?

-Like the DNS records for SPF, the record for DMARC is a DNS text (TXT) record that helps prevent spoofing and phishing. You publish DMARC TXT records in DNS. DMARC TXT records validate the origin of email messages by verifying the IP address of an email's author against the alleged owner of the sending domain. The DMARC TXT record identifies authorized outbound email servers. Destination email systems can then verify that messages they receive originate from authorized outbound email servers.

-Microsoft's DMARC TXT record looks something like this:

-```console

-_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.contoso.com; ruf=mailto:d@ruf.contoso.com; fo=1"

-```

-For more third-party vendors who offer DMARC reporting for Microsoft 365, visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog?IntegratedProducts=DMARCReportingforOffice365).

-## Set up DMARC for inbound mail

-You don't have to do a thing to set up DMARC for mail that you receive in Microsoft 365. It's all taken care of. If you want to learn what happens to mail that fails to pass our DMARC checks, see [How Microsoft 365 handles inbound email that fails DMARC](#how-microsoft-365-handles-inbound-email-that-fails-dmarc).

-## Set up DMARC for outbound mail from Microsoft 365

-If you use Microsoft 365 but you aren't using a custom domain (you use onmicrosoft.com), SPF is already set up for you and Microsoft 365 automatically generates a DKIM signature for your outgoing mail (for more information about this signature, see [Default behavior for DKIM and Microsoft 365](email-authentication-dkim-configure.md#DefaultDKIMbehavior)). To set up DMARC for your organization, you need to [Form the DMARC TXT record](#step-4-form-the-dmarc-txt-record-for-your-domain) for the onmicrosoft.com domain and publish it to DNS via [Office 365 Admin Center](https://admin.microsoft.com) > Settings > Domains > click on onmicrosoft.com domain > Add record.

- If you have a custom domain or are using on-premises Exchange servers along with Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up DMARC for your custom domain includes these steps:

-### Step 1: Identify valid sources of mail for your domain

-If you have already set up SPF, then you've already gone through this exercise. There are some further considerations for DMARC. When identifying sources of mail for your domain, answer these two questions:

-### Step 2: Set up SPF for your domain

-Now that you have a list of all your valid senders you can follow the steps to [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md).

-For example, assuming contoso.com sends mail from Exchange Online, an on-premises Exchange server whose IP address is 192.168.0.1, and a web application whose IP address is 192.168.100.100, the SPF TXT record would look like this:

-```console

-contoso.com IN TXT " v=spf1 ip4:192.168.0.1 ip4:192.168.100.100 include:spf.protection.outlook.com -all"

-```

-As a best practice, ensure that your SPF TXT record takes into account third-party senders.

-### Step 3: Set up DKIM for your custom domain

-Once you've set up SPF, you need to set up DKIM. DKIM lets you add a digital signature to email messages in the message header. If you don't set up DKIM and instead allow Microsoft 365 to use the default DKIM configuration for your domain, DMARC may fail. This failure can happen because the default DKIM configuration uses your original *onmicrosoft.com* domain as the *5321.MailFrom* address, not your *custom* domain. This creates a mismatch between the *5321.MailFrom* and the *5322.From addresses* in all the email sent from your domain.

-If you have third-party senders that send mail on your behalf and the mail they send has mismatched 5321.MailFrom and 5322.From addresses, DMARC will fail for that email. To avoid this, you need to set up DKIM for your domain specifically with that third-party sender. This allows Microsoft 365 to authenticate email from this 3rd-party service. However, it also allows others, for example, Yahoo, Gmail, and Comcast, to verify email sent to them by the third-party as if it was email sent by you. This is beneficial because it allows your customers to build trust with your domain no matter where their mailbox is located, and at the same time Microsoft 365 won't mark a message as spam due to spoofing because it passes authentication checks for your domain.

-For instructions on setting up DKIM for your domain, including how to set up DKIM for third-party senders so they can spoof your domain, see [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md).

-### Step 4: Form the DMARC TXT record for your domain

-Although there are other syntax options that aren't mentioned here, these are the most commonly used options for Microsoft 365. Form the DMARC TXT record for your domain in the format:

-```console

-_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100"

-```

-Where:

-For information about which options to use, become familiar with the concepts in [Best practices for implementing DMARC in Microsoft 365](#best-practices-for-implementing-dmarc-in-microsoft-365).

-Examples:

- ```console

- _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=none"

- ```

- ```console

- _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=quarantine"

- ```

- ```console

- _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=reject"

- ```

-Once you've formed your record, you need to update the record at your domain registrar.

-## DMARC Mail

-> [!CAUTION]

-> Mails may not be sent out daily.

-In this example DMARC TXT record: `dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.example.com; ruf=mailto:d@ruf.example.com; fo=1"`, you can see the *rua* address. This address is used to send 'aggregate feedback' for analysis, which is used to generate a report.

-> Visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog) to view more third-party vendors offering DMARC reporting for Microsoft 365. See [IETF.org's 'Domain-based Message Authentication, Reporting, and Conformance (DMARC)'](https://datatracker.ietf.org/doc/html/rfc7489) for more information on DMARC 'rua' addresses.

-## Best practices for implementing DMARC in Microsoft 365

-You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll-out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step.

-1. Monitor the impact of implementing DMARC

- Start with a simple monitoring-mode record for a sub-domain or domain that requests that DMARC receivers send you statistics about messages that they see using that domain. A monitoring-mode record is a DMARC TXT record that has its policy set to none (p=none). Many companies publish a DMARC TXT record with p=none because they're unsure about how much email they may lose by publishing a more restrictive DMARC policy.

- You can do this even before you've implemented SPF or DKIM in your messaging infrastructure. However, you won't be able to effectively quarantine or reject mail by using DMARC until you also implement SPF and DKIM. As you introduce SPF and DKIM, the reports generated through DMARC will give the numbers and sources of messages that pass these checks, versus those that don't. You can easily see how much of your legitimate traffic is or isn't covered by them, and troubleshoot any problems. You'll also begin to see how many fraudulent messages are being sent, and where they're sent from.

-2. Request that external mail systems quarantine mail that fails DMARC

- When you believe that all or most of your legitimate traffic is protected by SPF and DKIM, and you understand the impact of implementing DMARC, you can implement a quarantine policy. A quarantine policy is a DMARC TXT record that has its policy set to quarantine (p=quarantine). By doing this, you're asking DMARC receivers to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers' inboxes.

-3. Request that external mail systems not accept messages that fail DMARC

- The final step is implementing a reject policy. A reject policy is a DMARC TXT record that has its policy set to reject (p=reject). When you do this, you're asking DMARC receivers not to accept messages that fail the DMARC checks.

-4. How to set up DMARC for subdomain?

- DMARC is implemented by publishing a policy as a TXT record in DNS and is hierarchical (for example, a policy published for contoso.com will apply to sub.domain.contoso.com unless a different policy is explicitly defined for the subdomain). This is useful as organizations may be able to specify a smaller number of high-level DMARC records for wider coverage. Care should be taken to configure explicit subdomain DMARC records where you don't want the subdomains to inherit the top-level domain's DMARC record.

- Also, you can add a wildcard-type policy for DMARC when subdomains shouldn't be sending email, by adding the `sp=reject` value. For example:

- ```text

- _dmarc.contoso.com. TXT "v=DMARC1; p=reject; sp=reject; ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com"

- ```

-## DMARC Reject

-DMARC `p=reject` is a policy that's set in the DMARC TXT record by domain owners to notify service providers to *reject* email that fails DMARC.

-It came about because when OReject is set as the default, rejected email was sent to quarantine in Enterprise, and to the Junk Email folder in Consumer (due to lack of quarantine in Consumer). However, with DMARC `p=reject`, the email is rejected.

-Configuration can be done in the Microsoft Defender portal, or by the [New-AntiPhishPolicy](/powershell/module/exchange/new-antiphishpolicy) or [Set-AntiPhishPolicy](/powershell/module/exchange/set-antiphishpolicy) cmdlets in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). For more information, see the following articles:

-## How Microsoft 365 handles outbound email that fails DMARC

-If a message is outbound from Microsoft 365 and fails DMARC, and you have set the policy to p=quarantine or p=reject, the message is routed through the [High-risk delivery pool for outbound messages](outbound-spam-high-risk-delivery-pool-about.md). There's no override for outbound email.

-If you publish a DMARC reject policy (p=reject), no other customer in Microsoft 365 can spoof your domain because messages won't be able to pass SPF or DKIM for your domain when relaying a message outbound through the service. However, if you do publish a DMARC reject policy but don't have all of your email authenticated through Microsoft 365, some of it may be marked as spam for inbound email (as described above), or it will be rejected if you don't publish SPF and try to relay it outbound through the service. This happens, for example, if you forget to include some of the IP addresses for servers and apps that send mail on behalf of your domain when you form your DMARC TXT record.

-## How Microsoft 365 handles inbound email that fails DMARC

-If the DMARC policy of the sending domain is `p=reject`, [Exchange Online Protection](eop-about.md) (EOP) rejects the message by default. You can configure anti-phishing policies to honor or not honor `p=quarantine` and `p=reject` in sender DMARC policies, and specify separate actions for `p=quarantine` and `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies).

-When anti-phishing policies are configured to not honor `p=quarantine` or `p=reject` in DMARC policies, messages that fail DMARC are marked as spam and aren't rejected. Users can still get these messages in their inbox through these methods:

-For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md).

-## How Microsoft 365 utilizes Authenticated Received Chain (ARC)

-All hosted mailboxes in Microsoft 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing protection. ARC preserves the email authentication results from all participating intermediaries, or hops, when an email is routed from the originating server to the recipient mailbox. Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause DMARC failures by the time the email reached the recipient mailbox. With ARC, the cryptographic preservation of the authentication results allows Microsoft 365 to verify the authenticity of an email's sender.

-Microsoft 365 currently utilizes ARC to verify authentication results when Microsoft is the ARC Sealer, but plan to add support for third-party ARC sealers in the future.

-## Troubleshooting your DMARC implementation

-If you've configured your domain's MX records where EOP isn't the first entry, DMARC failures won't be enforced for your domain.

-If you're a customer, and your domain's primary MX record doesn't point to EOP, you won't get the benefits of DMARC. For example, DMARC won't work if you point the MX record to your on-premises mail server and then route email to EOP by using a connector. In this scenario, the receiving domain is one of your Accepted-Domains but EOP isn't the primary MX. For example, suppose contoso.com points its MX at itself and uses EOP as a secondary MX record, contoso.com's MX record looks like the following:

-```console

-contoso.com 3600 IN MX 0 mail.contoso.com

-contoso.com 3600 IN MX 10 contoso-com.mail.protection.outlook.com

-```

-All, or most, email will first be routed to mail.contoso.com since it's the primary MX, and then mail will get routed to EOP. In some cases, you might not even list EOP as an MX record at all and simply hook up connectors to route your email. EOP doesn't have to be the first entry for DMARC validation to be done. It just ensures the validation, to be certain that all on-premise/non-O365 servers will do DMARC checks. DMARC is eligible to be enforced for a customer's domain (not server) when you set up the DMARC TXT record, but it's up to the receiving server to actually do the enforcement. If you set up EOP as the receiving server, then EOP does the DMARC enforcement.

-## For more information

-Want more information about DMARC? These resources can help.

-## See also

-[How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md)

-[**Set up SPF in Microsoft 365 to help prevent spoofing**](email-authentication-spf-configure.md)

-[**Use DKIM to validate outbound email sent from your custom domain in Microsoft 365**](email-authentication-dkim-configure.md)

-[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure)

- - NOCSH

- - MET150

- - m365-security

- - tier1

-description: Read your DMARC Reports. If you set the rua tag while configuring, DMARC Reports are sent daily to the email addresses specified, which help admins and SecOps fight spoofing and phishing emails. Domain-based Message Authentication, Reporting, and Conformance (DMARC) validate messages sent from your organization, and generate reporting that highlights DMARC effectiveness.

-appliesto:

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a>

- - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

-# Use DMARC Reports to validate email in Microsoft Office 365

-> [!NOTE]

-> If you haven't set up DMARC, the directions are [here](email-authentication-dmarc-configure.md). For an overview of email authentication including SPF, DKIM and DMARC in Microsoft Office 365, see this [topic](email-authentication-about.md).

-Domain-based Message Authentication, Reporting, and Conformance (**DMARC**) helps protect against spoofing and phishing, and prevents benign messages from being marked as spam.

-**DMARC Reporting** makes you aware of DMARC email authentication decisions at recipient mail server.

-## Office 365 DMARC reporting

-In Office 365, the DMARC reports are sent to all sender domain owners that have a valid rua address defined in their DMARC record (independent of your platform or configuration).

-The only exception is where the MX record for the recipient domain doesn't directly point to Office 365. In that case no DMARC Report is sent to the sender domain owner rua address.

-**Example:**

-**Mailbox A** > recipient *domain contoso.com*

-**Mailbox A MX record** > points to Office 365 at *contoso-com.mail.protection.outlook.com*

-**Mailbox A report result** > automatically sent an aggregated DMARC report to all email sender domain owners with a valid rua address in their DMARC record.

-But if the contoso.com domain's MX record points to a *different email security solution* that sits in front of Office 365, then *no DMARC aggregate reports are sent to any sender domain's rua address* (configured in their DMARC record). This is because information about the sending infrastructure is likely affected by the complex mail flow routing.

-> [!NOTE]

-> Microsoft currently has no plans to send forensic reports (ruf).

-## What DMARC Reports do for you

-It's recommended that admins set up and regularly review DMARC Reporting in their domain.

-Admins should regularly read and monitor the daily DMARC reports sent in email. The reports outline what messages from the domain pass one of email authentication methods **Sender Policy Framework (SPF)**, or **DomainKeys Identified Mail (DKIM)**, and the verdict of **DMARC** authentication.

-**DMARC Reports outline:**

- - Note that email must also pass one of SPF or DKIM to pass DMARC.

- - None

- - Quarantine

- - Reject

-DMARC reports let you know who is sending mail on your domain, and can alert you to potential spammers. Another advantage is that once most messages pass DMARC, admins can change enforcement by creating a stricter DMARC policy. This makes the environment increasingly unfriendly to spoofing and phishing.

-Reviewing DMARC reports can verify that messages are sent by authorized servers, and determine whether they pass authentication checks. Over time, this will allow admins to fine tune their response, choosing from amongst reject, quarantine, or no response (none).

-## Reading your DMARC Reports

-When DMARC is turned on, reports are sent daily to the email address or addresses specified in your DMARC record (reports using the rua tag in the DMARC record contain the email information).

-Every server that gets mail from your domain also sends back an XML DMARC report, including whether messages coming out of your domain pass or fail DMARC. You'll also see:

-## Interpreting your DMARC data

-> [!IMPORTANT]

-> The numbers of DMARC emails varies in the same way the amount of email your domain sends does. For example, there may be lulls during holidays, and peaks during an organization's events. This can add up to a lot of reporting, so it's best to dedicate a group and mailbox to the practice of getting and analyzing these reports.

-DMARC Reports can be difficult to read and interpret. Using a third-party service that specializes in DMARC, from receiving and storing this data, to analyzing and even aggregating reports, may be the answer.

-Ultimately the value of your DMARC investment, how effectively it's working, and whether or not it's meeting goals comes down to analyzing the data. If your DMARC Reports are handled by a 3rd party have a discussion about your key DMARC objectives.

-## More information

-[**SPF**](email-authentication-spf-configure.md) SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is).

-[**DKIM**](email-authentication-dkim-configure.md) email authentication's goal is to prove the contents of the mail haven't been tampered with.

-[**DMARC**](email-authentication-dmarc-configure.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address.

-[**Configure trusted ARC sealers**](email-authentication-arc-configure.md)

-# Set up SPF to help prevent spoofing

-This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365.

-SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is). It's a first step in setting up the full recommended email authentication methods of SPF, [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md).

- - [How to handle subdomains?](#how-to-handle-subdomains)

- - [Troubleshooting SPF](#troubleshooting-spf)

-## Prerequisites

-> [!IMPORTANT]

-> If you are a **small business**, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) & ask for help with *DNS configuration of SPF* (and any other email authentication method). <p> **If you don't use a custom URL** (and the URL used for Office 365 ends in **onmicrosoft.com**), SPF has already been set up for you in the Office 365 service.

-Let's get started.

-The SPF TXT record for Office 365 will be made in external DNS for any custom domains or subdomains. You need some information to make the record. Gather this information:

-> [!IMPORTANT]

-> In order to use a custom domain, Office 365 requires that you add a Sender Policy Framework (SPF) TXT record to your DNS record to help prevent spoofing.

-## Create or update your SPF TXT record

-1. Ensure that you're familiar with the SPF syntax in the following table.

- |Element|If you're using...|Common for customers?|Add this...|

- |||||

- |1|Any email system (required)|Common. All SPF TXT records start with this value|`v=spf1`|

- |2|Exchange Online|Common|`include:spf.protection.outlook.com`|

- |3|Exchange Online dedicated only|Not common|`ip4:23.103.224.0/19` <br> `ip4:206.191.224.0/19` <br> `ip4:40.103.0.0/16` <br> `include:spf.protection.outlook.com`|

- |4|Office 365 Germany, Microsoft Cloud Germany only|Not common|`include:spf.protection.outlook.de`|

- |5|Third-party email system|Not common|`include:<domain_name>` <p> \<domain_name\> is the domain of the third-party email system.|

- |6|On-premises email system. For example, Exchange Online Protection plus another email system|Not common|Use one of these for each additional mail system: <p> `ip4:<IP_address>` <br> `ip6:<IP_address>` <br> `include:<domain_name>` <p> \<IP_address\> and \<domain_name\> are the IP address and domain of the other email system that sends mail on behalf of your domain.|

- |7|Any email system (required)|Common. All SPF TXT records end with this value|`<enforcement rule>` <p> This can be one of several values. We recommend the value `-all`.|

-2. If you haven't already done so, form your SPF TXT record by using the syntax from the table.

- For example, if you are hosted entirely in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this:

- ```text

- v=spf1 include:spf.protection.outlook.com -all

- ```

- **The example above is the most common SPF TXT record**. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location.

- However, if you bought Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. For example, if you are hosted entirely in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this:

- ```text

- v=spf1 include:spf.protection.outlook.de -all

- ```

- If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change `include:spf.protection.outlook.com` to `include:spf.protection.outlook.de`.

-3. Once you have formed your SPF TXT record, you need to update the record in DNS. **You can only have one SPF TXT record for a domain.** If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to [Create DNS records for Office 365](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider), and then select the link for your DNS host.

-4. Test your SPF TXT record.

-## How to handle subdomains?

-It's important to note that *you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top-level domain*.

-A wildcard SPF record (`*.`) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example:

-```text

-*.subdomain.contoso.com. IN TXT "v=spf1 -all"

-```

-## Troubleshooting SPF

-Having trouble with your SPF TXT record? See [Troubleshooting: Best practices for SPF in Microsoft 365](email-authentication-anti-spoofing.md#troubleshooting-best-practices-for-spf-in-microsoft-365).

-## What does SPF email authentication actually do?

-SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, help prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server.

-For example, let's say that your custom domain contoso.com uses Office 365. You add an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers for your domain. When the receiving messaging server gets a message from joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds out whether the message is valid. If the receiving server finds out that the message comes from a server other than the Office 365 messaging servers listed in the SPF record, the receiving mail server can choose to reject the message as spam.

-Also, if your custom domain does not have an SPF TXT record, some receiving servers may reject the message outright. This is because the receiving server cannot validate that the message comes from an authorized messaging server.

-If you've already set up mail for Office 365, then you have already included Microsoft's messaging servers in DNS as an SPF TXT record. However, there are some cases where you may need to update your SPF TXT record in DNS. For example:

-## More information about SPF

-For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see [How SPF works to prevent spoofing and phishing in Microsoft 365](email-authentication-anti-spoofing.md#how-spf-works-to-prevent-spoofing-and-phishing-in-microsoft-365).

-## Next Steps: DKIM and DMARC

- SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365.

-[**DKIM**](email-authentication-dkim-configure.md) email authentication's goal is to prove the contents of the mail haven't been tampered with.

-[**DMARC**](email-authentication-dmarc-configure.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address.

- For advanced examples and a more detailed discussion about supported SPF syntax, see [How SPF works to prevent spoofing and phishing in Office 365](email-authentication-anti-spoofing.md#how-spf-works-to-prevent-spoofing-and-phishing-in-microsoft-365).

-[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure)

-*Select 'This page' under 'Feedback' if you have feedback on this documentation.*

-**Summary**: Configure [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md) records (in that order) for all custom Microsoft 365 domains (including parked domains and all subdomains). If necessary, configure any [trusted ARC sealers](email-authentication-arc-configure.md).

-We'll proceed with the assumption that you're using one or more [custom domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) (for example @contoso.com) in Microsoft 365 for email, so you need to create specific email authentication DNS records for each custom domain that you're using for email.

-If you're using the @\*.onmicrosoft.com domain for email (also known as the Microsoft Online Email Routing Address or MOERA domain), there's not nearly as much for you to do:

-**Without a compelling business need that indicates otherwise, we recommend starting with the Standard preset security policy for all users in your organization**. Preset security policies are configured with settings based years of observations in the Microsoft 365 datacenters, and should be the right choice for the majority of organizations. And, the policies are automatically updated to match the threats of the security landscape.

-The results of email authentication checks for SPF, DKIM, and DMARC are recorded (stamped) in the **Authentication-results** message header in inbound messages.

-|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>`oreject` or `o.reject`: Stands for override reject. In this case, Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of `p=reject`. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](email-authentication-dmarc-configure.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>`pct.quarantine`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=quarantine`. But, the pct field wasn't set to 100%, and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`pct.reject`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=reject`. But, the pct field wasn't set to 100% and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`permerror`: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you might need to contact the domain's owner in order to resolve the issue.</li><li>`temperror`: A temporary error occurred during DMARC evaluation. You might be able to request that the sender resend the message later in order to process the email properly.</li></ul>|

-Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). If you haven't already enabled DMARC for your domains, that should be the first step, detailed here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure)

-This guide is designed to help you configure DMARC for domains not covered by the main DMARC article. These domains include domains that you're not using for email, but could be leveraged by attackers if they remain unprotected:

-## What you'll need

-1. A flyout will appear on the right. Ensure that the selected Type is **TXT (Text)**.

-1. Add your specific DMARC value. For more information, see [Form the DMARC TXT record for your domain](../email-authentication-dmarc-configure.md#step-4-form-the-dmarc-txt-record-for-your-domain).

-[Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/email-authentication-spf-configure)

-[Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure)

-> For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md).

-> - **Latest delivery location** can be unknown if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the **Result/Details** column in timeline view. Look for the statement "Message moved or deleted by the user."

-| Transactional cost | Not applicable | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages. | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages.|

-If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies.

-This feature lets you translate files of different types either manually or automatically by creating a rule. You can use custom glossaries and models to improve the quality and consistency of your translations.